The Court of Justice for the European Union (“CJEU”), the supreme court in matters of European Union (“EU”) law, has ruled that, where certain conditions are satisfied, EU citizens may require that links to websites published by third parties, which contain personal data relating to that individual, be removed from search engine results.
The decision, handed down in Case C-131/12 (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González), means that search engine providers such as Google, Yahoo! and Bing may be liable for breaches of EU data protection law if they display links to such websites where the relevant individual has requested that these be removed from Internet search results.
However, despite the significance of the decision, the CJEU has provided little in the way of practical guidance on which search engine providers can rely.
The claim against Google
The CJEU’s decision was provided in response to several questions posed to it by a Spanish court, seeking clarification of how EU data protection law should be applied in a claim brought against Google Inc. and Google Spain (together “Google”) by a Spanish national and Spain’s data protection authority (the AEPD).
The claimant, Mr González, complained to the AEPD about a newspaper article published over 15 years ago about a property auction held in connection with social security debts he owed. Mr González took issue with the continued publication (which was out of date as the matter had been resolved) on the newspaper’s website and his personal data appearing on Google search results and, in each complaint, sought that his personal information be removed or concealed.
The AEPD dismissed Mr González’s complaint against the newspaper, as the paper had been legally justified in issuing the publications. Notwithstanding this, the complaint against Google was upheld on the basis that, by locating and disseminating Mr González’s information, the search engine provider was breaching the fundamental rights and freedoms to which Mr González was entitled under EU law (this was irrespective of whether the or not the data on the original site were deleted). Google appealed the AEPD’s decision to the Spanish courts, which sought clarification on the relevant EU law from the CJEU.
Rights and obligations under EU data protection law
EU data protection law and, in particular, the Data Protection Directive (95/46/EC) seeks to protect the personal data of EU citizens (known as “data subjects”) and provides for certain rights and freedoms which must be respected by persons who collect and use such data. Amongst these are the individual’s right under Article 12(b) to have their personal data rectified, erased or blocked where it is processed not in compliance with the Directive (including, specifically, where the data is inaccurate or incomplete ) and their right under Article 14(a) to object to processing of their data where they have ‘compelling legitimate grounds’.
EU law distinguishes between two types of entities which handle personal data. The first are ‘data controllers’, who determine the purposes and means by which personal data are processed. The second are ‘data processors’ who process (i.e. use, store, distribute or otherwise deal with) the personal data in accordance with the data controller’s instructions. Importantly, liability for breaches of data protection law (whether by the collector or a processor) rests with the data controller.
In this case, the key issues for the CJEU to decide were whether or not:
- Google was ‘established’ (for legal purposes) within the EU and therefore subject to the EU data protection regime;
- Google’s automated aggregation, indexing and storage of personal data constituted ‘processing’;
- Google was a data controller (rather than a mere data processor); and (if the answer to the preceding questions was ‘yes’)
- an individual is entitled to require that a search engine remove links to third party websites containing his or her personal data (which are displayed following a search made on the basis of that individual’s name) irrespective of whether or not the original website publisher can also be required to remove the data in question.
The CJEU’s decision
The CJEU had little difficulty in finding that Google was ‘established’ within the EU and that its activities constituted ‘processing’. Although Google Inc. (the American company which operates Google’s search engine services) was based in the USA, Google’s Spanish subsidiary sold advertising for display alongside search engine results. The CJEU viewed this sales activity as being so closely interlinked to the provision of search engine services as to mean that Google was ‘established’ within the EU. Further, Google’s activities clearly fell within the definition of ‘processing’ and it was irrelevant that Google undertook these activities in respect of both personal data and other types of information available on the Internet.
The CJEU then found that Google was a data controller on that the grounds that, as a search engine operator, it determined the purposes and means of the activities it undertook in relation to the personal data it collected. Relevant factors supporting the CJEU’s finding on this point were that Google undertook activities which differed from those of the original publisher (in this case, the Spanish newspaper), it played a decisive role in the overall dissemination of that personal data, and its search results enabled an Internet user carrying out a search based on an individual’s name to readily obtain a ‘more or less detailed profile’ of that individual.
The CJEU’s conclusion that Google is a data controller is perhaps the most crucial and unexpected part of the judgement and, surprisingly, does not follow the opinion published by Advocate General Jääskinen on the matter in June 2013 (who reached the opposite conclusion).
Having held that Google was a data controller established within the EU, the CJEU still had to decide whether or not the data subject, Mr González, could require Google to remove links to the third party websites containing his personal data. The CJEU ruled that data subjects could indeed require the removal of such links provided that they can establish under Article 12(b) of the Directive that the search engine operator’s processing was not in compliance with the Directive and/or that they otherwise have compelling legitimate grounds to object to the processing of their data under Article 14(a). Importantly, the right to have data removed from search engine results can be exercised even where the original publication was lawful and it is not a requirement for the individual to demonstrate that they had suffered any prejudice as a result of the search results.
The CJEU acknowledged that the right to object to the processing of personal data, and to have links to such data removed, must be balanced against Google’s own economic interests and against the wider public interest but held that, as a general rule the rights of the individual should prevail.
Unsurprisingly the CJEU’s decision has proven controversial and received significant attention in the media. Although at present the decision’s effect on the day-to-day provision of search engine services remains unclear, it is important to remember that it does not provide data subjects with an absolute right to require that links to their personal data be removed from the Internet. The significance of the CJEU’s decision lies primarily in its clarification that search engines are data controllers for the purposes of EU law and that, consequently, they are obliged to (and liable for failing to) respect the rights and freedoms of individual data subjects.
When addressing how the rights of the individual should be protected, the CJEU went no further than describing a vague balancing act between the rights of the data subject against the search engine’s economic interests and the public interest, with the presumption that the data subject’s rights will usually take priority although there were exceptions (for example, where that individual is engaged in public life then the public interest in disclosing data may prevail over that individual’s rights).
In the absence of any caveats, refinement, or further guidance the CJEU’s test leaves a great deal of room for uncertainty, and this is where the decision is likely to cause problems in practice. For example, without a precise test to apply when assessing requests from data subjects for removing links to websites containing their personal data, search engine providers may understandably adopt a cautious approach by readily removing the links. This would mean they are less likely to be liable for breaching data protection law; however, as a result information may be censored or removed despite there being a genuine public interest in its disclosure.
An express ‘right to be forgotten’ is proposed to be included within the draft General Data Protection Regulation that is currently being negotiated as part of the EU’s drive to modernise EU data protection law and strengthen individuals’ rights in relation to their personal data. As such, it may be that the CJEU’s decision has simply accelerated what was an inevitable consequence of data protection law applying to search engine providers. That said, in the meantime further guidance on how to balance the rights of the data subject and the public interest would be welcome for both users and enablers of Internet search engine services.